Author Archive - Trend Micro

Our monitoring of Operation Pawn Storm has led us to an interesting finding: the domain we previously reported hosting the Java 0-day used in the latest Pawn Storm campaign was modified to now lead to a Trend Micro IP address. Our investigations have shown that our systems have not been attacked or compromised. The attackers have simply redirected a DNS record to point to a Trend Micro IP address, likely in retaliation to our disclosure and the subsequent patching of the Oracle Java zero-day vulnerability they were exploiting.

Figure 1. Changes in the Pawn Storm infection chain

The DNS A record of the domain ausameetings[.]com now points to 216.104.20.189, an IP address of Trend Micro. While it was serving the zero-day exploit, the IP address of ausameetings[.]com was 95[.]215[.]45[.]189.

Figure 2. DNS A record of ausameetings[.]com

We are not sure when the domain was pointed to Trend Micro, but based on the DNS record naming convention, it was most likely modified to point to Trend Micro yesterday, July 14.

We do not have clear evidence that points to the cause behind these developments, but we see the following possible motives:

To serve as a form of retaliation by the Pawn Storm operators against Trend Micro for disclosing details about their most recent campaign

To mislead network administrators into associating our IP address to the attack, possibly causing admins to mistakenly block it

To deceive security researchers into thinking that the Trend Micro IP address is compromised or being misused by Operation Pawn Storm

It bears stressing that we found no traces of compromise or misuse. We will continue to monitor this and update this post as soon as there are relevant developments.

Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns.

Over the past year or so, we have seen numerous techniques and tactics employed by this campaign, such as the use of an iOS espionage app, and the inclusion of new targets like the White House. Through our on-going investigation and monitoring of this targeted attack campaign, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java now identified by Oracle as CVE-2015-2590. This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

The report below outlines the traffic observed as part of the attack, not the exploit itself. Our blog entry on how the exploit itself works can be found here. This blog entry is intended to help readers identify traffic in their network that would indicate if such an exposure had occurred. We strongly recommend that all readers roll out the Oracle patch as soon as possible.

Infection sequence

Trend Micro has observed that an entity belonging to the target profile received an email that contains the following URL:

hxxp://ausameetings[.]com/url?={BLOCKED}/2015annualmeeting/

It is worth noting that the spearphishing domain used is ausameetings[.]com, a play on the valid domain “ausameetings.org,” which is a site for AUSA’s (Association of the United States Army) annual exposition, commonly held in mid-October. The domain was only registered last July 8, which implies a one-time use for a specific set of targets.

When assessing this URL, it was determined that the most probable infection sequence is:

Figure 1. Infection chain

Like all multi-stage infections, a successful execution of the previous stage is required before moving to the next stage down. In Stage 1, the sequence is initiated by clicking on the URL embedded within the victim’s spearphishing email.

Once the Java exploit of Stage 1 is successful, it downloads the PE file (Stage 2). Once the PE file is downloaded and executed it drops and runs the DLL file (Stage 3) which is the final component to infect the machine with SEDNIT.

The information that we have on each of these stages is summarized below; further details on each stage can be found in the sections that follow.

The network traffic observed for the infection sequence of this stage is:

Send the initial POST as per the spearphishing email to ausameetings[.]com, which includes the 2015annualmeeting URI path.

Send an encoded POST call, which, when decoded, is the variable to construct the subsequently used URI path. This is particularly interesting as it appears that each URI path on the malicious server is customized by the victim’s infection, rather than static on the web server.

The victim machine then does a variety of GET calls to pull down JPG, JNLP, and Java class files.

If the Java class files cannot be found on the primary domain (ausameetings[.]com), it appears to instead attempt to get these files from a hardcoded IP (87[.]236[.]215[.]132).

Once the class files are downloaded, the victim machine then does a GET call to fetch the file cormac.mcr. This file is the PE file for Stage 2.

For completeness, the specific traffic calls observed relating to Stage 1 include the following:

The second and third traffic calls in the traffic pattern are particularly interesting to note.

Figure 2. Traffic patterns (click the image to enlarge)

One can observe that the second call sends a POST to ausameetings[.]com and is returned with a text response (“cfa”) that is then used as the URI path for the subsequent HTTP requests.
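To show how the Stage 1 sequence described above could be matched in web proxy logs, here is an added example (not from the original post or Trend Micro) that walks each client's requests in order through the lure POST, the JNLP/class fetches from the primary domain or the hardcoded fallback IP, and the cormac.mcr download; the log format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Indicators as given in the post (defanged), refanged for matching.
PRIMARY_HOST = "ausameetings[.]com".replace("[.]", ".")
FALLBACK_IP = "87[.]236[.]215[.]132".replace("[.]", ".")
STAGE2_PAYLOAD = "cormac.mcr"

# Constructed sample proxy log: "<time> <client> <method> <host> <path>".
SAMPLE_LOG = """\
12:00:01 10.1.1.5 POST ausameetings.com /url?=x/2015annualmeeting/
12:00:02 10.1.1.5 POST ausameetings.com /cfa
12:00:03 10.1.1.5 GET ausameetings.com /cfa/banner.jpg
12:00:04 10.1.1.5 GET ausameetings.com /cfa/launch.jnlp
12:00:05 10.1.1.5 GET 87.236.215.132 /cfa/Main.class
12:00:06 10.1.1.5 GET ausameetings.com /cfa/cormac.mcr
12:01:00 10.1.1.9 GET ausameetings.com /favicon.ico
12:02:00 10.1.1.7 GET 87.236.215.132 /zz/Loader.class
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
STEPS = ["lure_post", "java_fetch", "payload_fetch"]

def classify(method, host, path):
    """Map one request onto a step of the observed Stage 1 sequence, or None."""
    p = path.lower()
    hosts = (PRIMARY_HOST, FALLBACK_IP)
    if method == "POST" and host == PRIMARY_HOST and "2015annualmeeting" in p:
        return "lure_post"
    if method == "GET" and host in hosts and p.endswith((".jnlp", ".class")):
        return "java_fetch"
    if method == "GET" and host in hosts and p.endswith("/" + STAGE2_PAYLOAD):
        return "payload_fetch"
    return None

def find_stage1_chains(log_text):
    """Return ({client: furthest step reached in order}, {clients that hit the fallback IP})."""
    progress = defaultdict(int)   # client -> number of chain steps completed
    fallback_clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, method, host, path = m.groups()
        if host == FALLBACK_IP:
            fallback_clients.add(client)
        step = classify(method, host, path)
        # Advance only when the next expected step is seen; repeats and out-of-order hits are ignored.
        if step is not None and STEPS.index(step) == progress[client]:
            progress[client] += 1
    chains = {c: STEPS[n - 1] for c, n in progress.items() if n > 0}
    return chains, fallback_clients

if __name__ == "__main__":
    print(find_stage1_chains(SAMPLE_LOG))
```

A client that reaches payload_fetch has pulled the Stage 2 PE; contact with the fallback IP alone (client 10.1.1.7 above) is reported separately because the post describes it as a retry path rather than the start of the chain.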

Stage 2 – The PE file

Stage 2 involves downloading a PE file. Trend Micro detects this file as TROJ_DROPPR.CXC. The primary purpose of this PE is to drop and load the DLL executable. It is downloaded as Cormac.mcr, but once extracted, the file name is converted into a randomized file name. It is installed into the %USERPROFILE% directory and then executed, creating a service by the same name.

During its installation, a variety of other services also appear to be hooked, including lsass, lsm, and conhost, amongst others.

Figure 3. Observed processes (click the image to enlarge)

Once the malware is executed, it will drop the Stage 3 DLL file with filename api-ms-win-downlevel-profile-l1-1-0.dll in the %TEMP% directory. To load the malware, it executes rundll32.exe using the following command:

rundll32.exe "%temp%/api-ms-win-downlevel-profile-l1-1-0.dll",init

Stage 3 – The DLL file

This third stage involves a DLL file, which we detect as TSPY_SEDNIT.C. When the PE file triggers the DLL (in this instance, through %windir%\system32\RunDll32.exe with the command line "%windir%\system32\RunDll32.exe" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\api-ms-win-downlevel-profile-l1-1-0.dll",init), the following traffic was observed.
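As an added example that is not part of the original post, the following parses process-creation command lines and checks them against the rundll32.exe loader pattern shown for Stages 2 and 3: a DLL under the temp directory (written as %temp% or as an expanded 8.3 path) invoked through its init entry point. The sample command lines are constructed after the forms above, and the api-ms-win- filename check is this example's own heuristic (genuine API-set DLLs of that name live in the system directory).

```python
import ntpath
import re

# Constructed sample process-creation command lines: the first two follow the
# rundll32.exe forms shown in the post, the third is a benign control.
SAMPLES = [
    'rundll32.exe "%temp%/api-ms-win-downlevel-profile-l1-1-0.dll",init',
    '"%windir%\\system32\\RunDll32.exe" "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\'
    'api-ms-win-downlevel-profile-l1-1-0.dll",init',
    'rundll32.exe shell32.dll,Control_RunDLL',
]

# rundll32 [path]<dll>,<entry>; the executable and the DLL may each be quoted.
RUNDLL_RE = re.compile(
    r'^(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?:"([^"]+)"|(\S+?)),(\w+)', re.I)

def parse_rundll32(cmdline):
    """Return {'dll': path, 'export': name} or None if this is not a rundll32 launch."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    dll = (m.group(1) or m.group(2)).replace("/", "\\")
    return {"dll": dll, "export": m.group(3)}

def dll_in_temp(path):
    """True if the DLL sits under %TEMP%, given as the variable or expanded (8.3 form included)."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return parts[0] == "%temp%" or "temp" in parts[:-1]

def assess(cmdline):
    """Score a command line against the observed loader pattern; None if not rundll32."""
    info = parse_rundll32(cmdline)
    if info is None:
        return None
    reasons = []
    if dll_in_temp(info["dll"]):
        reasons.append("DLL loaded from the temp directory")
    if ntpath.basename(info["dll"]).lower().startswith("api-ms-win-"):
        # Heuristic of this example: real api-ms-win-* API-set DLLs are not loaded from temp paths.
        reasons.append("filename mimics a Windows API-set DLL")
    if info["export"].lower() == "init":
        reasons.append("entry point 'init' as in the observed loader")
    return {**info, "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(assess(cmd))
```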

It bears stressing that we do not encourage using the data presented above as IOCs for your own analysis. The network traffic generated by this stage was a challenge to assess as it appears to have polymorphic capabilities in the creation of URI paths utilized to pull down files. After assessing the samples multiple times, each network traffic infection sequence appeared to be different, no matter what sequence of testing was performed (e.g., same machine, different machines, different geographic IP space globally, etc.).

After detailed network forensics of the traffic, it was determined that no single stable URL path or URI query component (URI path component, file name, or URI query parameter) showed a consistent pattern (neither the same entry nor a regex-definable pattern), and further reverse engineering was required to determine the methods used to achieve this.

As a result of this additional analysis, it was determined that the URI path is a randomly generated string with the following pattern:

Included in the POST request is data encoded with Base64 and XOR encryption. The encoded data contains the following system information of the infected machine:

OS Version

List of running processes

Hard Disk Drive Information

Volume Serial Number

TSPY_SEDNIT.C connects to three C&C servers:

192[.]111[.]146[.]185 (direct to IP call)

www[.]acledit[.]com

www[.]biocpl[.]org

After sending the encrypted data it will wait for a reply which is encrypted by the same algorithm above.

Phase 2 of the attack: the keystroke logger

Based on our investigation of Operation Pawn Storm, we know that the infection happens in two stages:

In phase 1, opening the email attachment or clicking on the malicious URI initiates the download of the first level dropper, which installs the downloader component (.DLL file).

In phase 2, the downloader component communicates with a C&C server and downloads other components, and at the end of the chain a keylogger is installed. The keylogger sends data back to the C&C server.

As of writing, we have not succeeded in triggering Phase 2, which will download a fourth stage malware from the C&C servers. This fourth stage malware is expected to be an encrypted executable file.

Victims of the Attack

A number of victims were identified during the course of our investigation. The targets are in the United States or Canada, and those we were able to identify via IP are big defense contractors, as is typical for Operation Pawn Storm.

Countermeasures

Trend Micro is already able to protect users against this threat without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

The following table summarizes the identified stable IOCs that can be used to search for this attack. The “Precision” column indicates how closely the indicator is tied to the attack itself; the higher the precision, the lower the likelihood of collateral false positives.

Trend Micro first came across this vulnerability (and exploit) as part of our ongoing investigations on Operation Pawn Storm. We found email messages targeting the armed forces of a certain NATO country and a US defense organization that contained these malicious URLs where the Java exploit is hosted. This exploit sets off a chain of malware infections that lead to its final payload: an information-stealing malware.

More details about the connections between Pawn Storm and this vulnerability will be made available in an upcoming blog entry.

Trend Micro is already able to protect users against exploits targeting this vulnerability without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

In the takedown known to the FBI as “Operation Ghost Click,” more than a hundred servers belonging to the Esthost/Rove Digital group were taken offline. The group’s data centers in New York and Chicago were raided, and more than 4 million victims were given over half a year to change over to non-malicious DNS servers.

Almost four years after the takedown, the leader of this particular cybercrime group, Vladimir Tsastsin, has pleaded guilty to various charges before a US federal magistrate. He now faces up to six years in a US federal penitentiary.

At its heart, the Esthost/Rove Digital scheme was a relatively simple one: plant DNS changer malware onto user systems and redirect queries for popular domains to malicious servers. This allowed the attackers to redirect the traffic aimed at these domains and carry out hard-to-detect but profitable attacks like hijacking search results and replacing website advertising. In addition to this, fake antivirus malware was also an important source of revenue for this organization.

The attackers favored these methods as they were relatively difficult to detect and could be sustained for a long time. However, the group’s activities were already something that Trend Micro was aware of as early as 2006; even then we were already keeping track of their activities.

In 2009, law enforcement agencies in Estonia and the United States began working with other organizations to help bring the activities of Esthost/Rove Digital to a halt; Trend Micro was the only antivirus company that joined this joint effort.

Our research on the takedown was an essential part of the case against Esthost/Rove Digital, and was indispensable to putting Tsastsin in jail.

Tsastsin, before his arrest

Six leaders of the scheme were arrested at the time of the takedown, including its mastermind Vladimir Tsastsin. It was not until late 2014 that he was extradited to the United States and formally charged. With his guilty plea, Tsastsin’s trial now moves on to sentencing. He faces up to six years in prison, with a sentence set to be handed down in October.

Time and the courts have caught up to Tsastsin. This highlights how Trend Micro is committed to working with law enforcement agencies from across the world to help stamp out cybercrime and make the world safer for users.

Our Forward-looking Threat Researchers, including Feike Hacquebord, who was a key part of this investigation, have worked side-by-side with law enforcement agencies across the world to help root out various cybercrime organizations.

A 20-year-old college student whose underground username is Lordfenix has become one of Brazil’s top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we’re seeing today.

Who is Lordfenix?

Lordfenix is a 20-year-old Computer Science student from Tocantins, Brazil. We were able to trace his activity back to April 2013. At the time, he was operating under a different handle, Filho de Hakcer (Portuguese for “hacker’s son,” but misspelled). He was posting in forums, asking for programming assistance for a Trojan he was supposedly creating.

Figure 1. Forum post of Lordfenix, then Filho de Hakcer

Based on a photo he posted on Facebook dated September 2013, it appears he was successful in his work.

Figure 2. Facebook post boasting of his success with his Trojan

Information theft via fake browsers

Lordfenix has since continued to develop and sell banking Trojans, one of which we detect as TSPY_BANKER.NJH. This Trojan is able to identify when a user types any of its target banks’ URLs. Among these targets are Banco de Brasil, Caixa, and HSBC Brasil.

It is then able to close the current browser window (if it’s running on Google Chrome), display an error message, and then open a new fake Chrome window. This whole routine is almost unnoticeable since the browser windows are switched seamlessly. In case the user’s browser is Internet Explorer or Firefox, the original window stays open, but the error message and the fake browser window still appear.

Figure 3. Fake browser window

Figure 4. Spoofed HSBC Brasil banking site

Figure 5. Spoofed Banco de Brasil banking site

If the user enters his login credentials in the fake window, the malware sends the information back to the attacker via email—the same email address Lordfenix used during his “Filho de Hakcer” days.

For added protection against security products, this malware terminates the process GbpSV.exe. This process is associated with the software G-Buster Browser Defense, a security program many Brazilian banks use to defend against information theft and protect their customers’ privacy during online transactions.

Cybercrime for free

Lordfenix has grown quite confident in his skills. We found him offering free versions of fully-functional banking Trojan source code to underground forum members. He claims these free versions can steal credentials from customers of four different banks. But this generosity has a limit. If other members would like to target more banks, they would have to contact him, and he would sell them TSPY_BANKER.NJH. We checked this banking Trojan and it is, in fact, operational.

Figure 6. Forum post advertising free banking Trojan source code

We also found him advertising banking Trojans through his Skype profile. There, the Trojans are referred to as keylogger (KL) proxy—based on the keylogging capabilities of the malware.

Figure 7. Lordfenix’s Skype profile

Cybercriminal upstart

Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013. With each Trojan costing around R$1,000 (roughly US$320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture.

Aside from the ease of creating malware, a few other factors may have urged Lordfenix to start up his own little enterprise:

Brazil has a huge online banking user base. In 2013 alone, around 51% of all banking transactions within the country were done via the Internet.

Digital crime is not necessarily a top priority in Brazil. The penalties against offenders are currently very low.

Despite working alone and being only 20 years old, Lordfenix has managed to make his name known among his fellow criminals. His story—the young cybercriminal inflicting serious damage—is near-identical to that of the teens developing mobile ransomware in China. He is also not the first solo operator we have noted this quarter. The likes of Frapstar (Canada) and the cybercriminals behind FighterPOS (Brazil) and HawkEye (Nigeria) are all individual players using basic malware to gain profit.

In cybercrime, it doesn’t matter if the criminal is a veteran or a newbie. The result remains the same: ordinary users become victims.